njrat | 9f4bf59a47155bbab62e0f5ab2e9a9eb4d734a151fd379357bb7096b36494e17

Analysis

max time kernel
487s
max time network
488s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
09-02-2025 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

njRAT v0.7d Green Edition.7z
Size

1.6MB
MD5

d3e6fcd5df337cbdd82e20ec733974c6
SHA1

cdfe616636aa7bbfde3fe213e23adf86ee630907
SHA256

9f4bf59a47155bbab62e0f5ab2e9a9eb4d734a151fd379357bb7096b36494e17
SHA512

f9c1273527d7d5cd40b32c9b554d35d7963ad634700abd4cbe8b45a0e1e13feec5b685cd6dbbb75b1eea1caf27cdf6c5054d3fff3a65ea6686be20de3abee84e
SSDEEP

49152:p2hBKynG7aq/lhMSO6fCOCX+W3au6TSR1:p2DKyG//lySz6f31

Score

10^/10

njrat hacked defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

HacKed

127.0.0.1:5552

Mutex

fedf8177701c2b8eba54e8334d5decb3

Attributes

reg_key
fedf8177701c2b8eba54e8334d5decb3
splitter
|'|'|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 1 IoCs

flow	pid	Process
25	4560	Process not Found

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4688	netsh.exe
4672	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\Control Panel\International\Geo\Nation	NjRat 0.7D Green Edition by im523.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fedf8177701c2b8eba54e8334d5decb3.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fedf8177701c2b8eba54e8334d5decb3.exe	server.exe

Executes dropped EXE 3 IoCs

pid	Process
4808	NjRat 0.7D Green Edition by im523.exe
2344	Server.exe
1508	server.exe

Loads dropped DLL 4 IoCs

pid	Process
4808	NjRat 0.7D Green Edition by im523.exe
4808	NjRat 0.7D Green Edition by im523.exe
4808	NjRat 0.7D Green Edition by im523.exe
4808	NjRat 0.7D Green Edition by im523.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fedf8177701c2b8eba54e8334d5decb3 = "\"C:\\Windows\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\fedf8177701c2b8eba54e8334d5decb3 = "\"C:\\Windows\\server.exe\" .."	server.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	D:\autorun.inf	server.exe
File created	F:\autorun.inf	server.exe
File opened for modification	F:\autorun.inf	server.exe
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\server.exe	Server.exe
File opened for modification	C:\Windows\server.exe	Server.exe
File opened for modification	C:\Windows\server.exe	server.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NjRat 0.7D Green Edition by im523.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilasm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2956	cmd.exe
1152	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133835885407886706"	chrome.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2"	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 5400310000000000495a0a7b100031323331323300003e0009000400efbe495a057b495a0a7b2e000000193c020000000e000000000000000000000000000000658b4500310032003300310032003300000016000000	NjRat 0.7D Green Edition by im523.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NjRat 0.7D Green Edition by im523.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NjRat 0.7D Green Edition by im523.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NjRat 0.7D Green Edition by im523.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NjRat 0.7D Green Edition by im523.exe
Key created	\REGISTRY\USER\S-1-5-21-3311063739-2594902809-44604183-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NjRat 0.7D Green Edition by im523.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe
1508	server.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1340	7zFM.exe
4808	NjRat 0.7D Green Edition by im523.exe
1508	server.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1340	7zFM.exe
Token: 35	1340	7zFM.exe
Token: SeSecurityPrivilege	1340	7zFM.exe
Token: 33	1552	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1552	AUDIODG.EXE
Token: SeDebugPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: 33	1508	server.exe
Token: SeIncBasePriorityPrivilege	1508	server.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe
Token: SeShutdownPrivilege	3860	chrome.exe
Token: SeCreatePagefilePrivilege	3860	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1340	7zFM.exe
1340	7zFM.exe
4808	NjRat 0.7D Green Edition by im523.exe
4808	NjRat 0.7D Green Edition by im523.exe
4808	NjRat 0.7D Green Edition by im523.exe
4808	NjRat 0.7D Green Edition by im523.exe
4808	NjRat 0.7D Green Edition by im523.exe
4808	NjRat 0.7D Green Edition by im523.exe
4808	NjRat 0.7D Green Edition by im523.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
4808	NjRat 0.7D Green Edition by im523.exe
4808	NjRat 0.7D Green Edition by im523.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4808	NjRat 0.7D Green Edition by im523.exe
4808	NjRat 0.7D Green Edition by im523.exe
4808	NjRat 0.7D Green Edition by im523.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
3860	chrome.exe
4808	NjRat 0.7D Green Edition by im523.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4808	NjRat 0.7D Green Edition by im523.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4808 wrote to memory of 3228	4808	NjRat 0.7D Green Edition by im523.exe	109
PID 4808 wrote to memory of 3228	4808	NjRat 0.7D Green Edition by im523.exe	109
PID 4808 wrote to memory of 3228	4808	NjRat 0.7D Green Edition by im523.exe	109
PID 2344 wrote to memory of 1508	2344	Server.exe	113
PID 2344 wrote to memory of 1508	2344	Server.exe	113
PID 2344 wrote to memory of 1508	2344	Server.exe	113
PID 1508 wrote to memory of 4688	1508	server.exe	114
PID 1508 wrote to memory of 4688	1508	server.exe	114
PID 1508 wrote to memory of 4688	1508	server.exe	114
PID 3860 wrote to memory of 2280	3860	chrome.exe	122
PID 3860 wrote to memory of 2280	3860	chrome.exe	122
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 4056	3860	chrome.exe	123
PID 3860 wrote to memory of 2348	3860	chrome.exe	124
PID 3860 wrote to memory of 2348	3860	chrome.exe	124
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125
PID 3860 wrote to memory of 4908	3860	chrome.exe	125

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\njRAT v0.7d Green Edition.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1340

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODAyMDc4MkQtMkVCQS00Mjc5LUFDNTgtNkU0RDZGNEVCNEU4fSIgdXNlcmlkPSJ7M0Y3RUNBMTYtMTg3NC00MTE1LTk2MkQtMzI3NkFEQTZBQjc3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjNEMTQ1QjctN0Y4RC00NkY0LUI2MEUtNzM1RjIzMTIyRkZCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5ODUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODQ0NDQzNjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODgwNDYzMDU4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4172

C:\Users\Admin\Desktop\123123\NjRat 0.7D Green Edition by im523.exe
"C:\Users\Admin\Desktop\123123\NjRat 0.7D Green Edition by im523.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe" /alignment=512 /QUIET "C:\Users\Admin\AppData\Local\Temp\stub.il" /output:"C:\Users\Admin\Desktop\123123\Server.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3228

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x34c 0x40c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Users\Admin\Desktop\123123\Server.exe
"C:\Users\Admin\Desktop\123123\Server.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\server.exe
  "C:\Windows\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4688
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Windows\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:4672
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /k ping 0 & del "C:\Windows\server.exe" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:3656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe4f9fcc40,0x7ffe4f9fcc4c,0x7ffe4f9fcc58
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2064,i,17996725717477697851,10335159162825188007,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1936,i,17996725717477697851,10335159162825188007,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,17996725717477697851,10335159162825188007,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=2376 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,17996725717477697851,10335159162825188007,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,17996725717477697851,10335159162825188007,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,17996725717477697851,10335159162825188007,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4812,i,17996725717477697851,10335159162825188007,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4800,i,17996725717477697851,10335159162825188007,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=4844 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5116,i,17996725717477697851,10335159162825188007,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=3440 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5084,i,17996725717477697851,10335159162825188007,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5000,i,17996725717477697851,10335159162825188007,262144 --variations-seed-version=20250206-180041.353000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:4380

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3eaf32d631c8f5dea862fc3fb22617a8

SHA1
50a1b8f226eebebb2ffc0b197b44c959fc184843

SHA256
69f9f8ab12ff8bc1381c8aafd193d1e8a2fea5fd26457c4df64740b6eccc6324

SHA512
f95732a33b34690313b00cb80efe0b5410f6452b81ff0d4bd546cdca3ede3ff8f6286bd807ab6334fca57b2f879af57f6869688f4209c41f11200e2a8405c2b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1ab7a0e66cd6472ee9bafb67a04085d0

SHA1
b39d249bbd28fa10afa5f99cd0bcb154fb87e964

SHA256
ef1d262a753ad2eacc45dcf97acd668a265b4c90c7850b6b01b3081a128c9a5e

SHA512
517b7caeab774875e8a2c6e9816d44e3aa076b13a5fe8ee767057c4109a771002c002f1a5a78166d1817d4f016de83b9a1795e686db761eff1fb3f7be2f83154

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bc60761ee0895a7ed4d5316573e024c4

SHA1
419d8caa6f8da6b96fb362bb2f36abb89b64a418

SHA256
252790704d4f2b993382e2e1688236df2e62537aa4979ffe7b18b83045be26aa

SHA512
045ac7d6de608872af7090915c828d767e120d920818275cc951d163329ca01aba83fcbd62a3245f8a817b299249f314c2fdd3fee8bdd0fdfd867ad0ed1841d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0450656610b1b99e1ba40510851597c0

SHA1
99c25c696c5dbb840debec64c2a3cd0ccb652ebb

SHA256
a66fa61ea39f20f78b3f3daeb882e07e36397b8277883292a0e120721334d490

SHA512
6e7230b308cca738a1ebb4b96c5595c26f8f951315f53d938e34af65ec38bb3509563084e0ccc4b4597224bb3489b1c0bdaec4ac06c127d27a1db725cd89245c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
eeb861d3a77e20178a68022bdb8bd0af

SHA1
b1ef1466edf5f909b0a4a9d2fb7d3a8a9a9857ee

SHA256
27331ada973ecf452c4d1536bb2d68db3ba64070bc1d9cb94120bad341f28ae6

SHA512
65e804c80c2da130fda387a833aa688634aa1cb39d8f3d3447941cce03fe982f598f0c64eb69b62aea03817618b533eee678df060c92e68d5ba60dc1dd92d27b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
921fdfc1899feadac273474257709a14

SHA1
99ed58fe81c7b5ecb85803e2cc74451cccf4715d

SHA256
d625696545c271f834fe90fd4a8817e4b684374722decd257cb3f5417fd8b5ad

SHA512
e09142e21a7e6d062e9c6b2962b6b2c46e1b7b05e2f70cf5b68f68677626183b28f2a68d69f946b756cbf055a51bf8ad4075ed7d844c16f9ac483790c13a44bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c14854a85fa65d92e09d02e65885cbf1

SHA1
246221070cbbb48bb8ae6e4841b7407cbe1b07fc

SHA256
13997f3218e44c7d7f6bfd6e98c49ffaa571929c872f99276a7795535ccc4402

SHA512
6e0ad0ac74e5d0fd24d1bb64ea5a573e2619be64b8f82efe3dc4814fac2a6dc88809ebe07207a4e4e348d391c3516da3508594155aa2005204c4b1aff9756c8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1e1f5fc658dcc5008138c7c53bf5e584

SHA1
eb54e83381bb43acea3491c7a448cd0475136e25

SHA256
444878e4e46fb7119471c8fac2584183d8ca21294a3afa377f120112f03e8423

SHA512
70158f75328d0e33eca4567e0b7a32de4b78cc288f686f159d09b2a80b55ab71cc7eef090125371083a83c144fd6f0f484df7a71b92c750e945df9b5914d42f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
48e9300af3558fc633e1b766a370a8e1

SHA1
95c3d54ae807689f6eeb1607d550d47a9ab233d7

SHA256
3c6a1d898ef526b8ca082843c3284854c48f652c568859cfcf9ec53fb217a0e4

SHA512
a249b337e64d5dab5975fe66f54356f1e09de6e9fb186ba36d06a92a2e0870489cf35dcccdbf8aac6a9fb1152b26db7ff350c0492e2f9979e810f5b3b803e7cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
69538a7cc8d039b04f445f45051bd6ea

SHA1
fbef44f2c3da727ba445c6bc0d33b71b7802e716

SHA256
06b7413beb1a0de55efa2505c8fda6ddfe1686f647c3dbc81435dac536c24f29

SHA512
912af1e1c5f3fc65ac9acbb489f59c6f570b8624527263f2119cb7c0bd90d599ad967204836184707a0e9fca8dc44da58c5e592d6252c5df2a99acdd5ed1fb15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0d7a615927a2cfe3cfb877c19fd84035

SHA1
398fea2473c6ac3845e1fcc64a71686ea25d38c1

SHA256
0bfcdecfa1050113c5c3876e0605448923ca044ea2cd008ca67f4f05bbbb71b1

SHA512
542c19379f652ad1a1f56f75645913b63c0ec95ba2d9287eb859cd4ee5f783faa81d35dcad7939cdd823721a16a9516dd73248b84ec3c89f960bacd9fc05b6b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e2a2977bf0ab50bac83a2db411b03f72

SHA1
e525c22cf455fe0dd229bf2d42d047506882271f

SHA256
4b1836b3568df658f5cbafa3f5630e9cc0530a3f6f8332f890cb8a2f4fc2d4aa

SHA512
c948dd458abfb254cd4b4058ef1004009ca8b93e1b8768cc29651807f9c1ad24c450a3875edcce9a8535d98d8c9ecb89b80faa1d644cc034653a22c6592f7125

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
c26e35c1b46f9371b59a316662efb666

SHA1
b68d39f24c0f1b550aa6173dfbdc38bf029405a3

SHA256
69ee21f645ddff4dc97c12a9c7aa88569106357a63d470eeb6a3f014e1b8b17a

SHA512
0bd63bdebd6a8f9b6a6a81b17e7a4adffaf535edcdcb2778c706ce80c3e24300fcff1ad04ea95f69ec972133d36bdcb92857b9a3a2228a70e5660a5f410db721

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
826a63832161888eb13967b5171ec6a6

SHA1
cfddc7b10917b3a02305190d57ae6cb39d455eef

SHA256
799e78ca41c9a444ea7daf19d4ef7a8b87e55224c15d8515c440bbc549e4899c

SHA512
d90929436434ad800523c307d4c222df677327f99ede9e17d047a257528f933b1b563a72a08bff35ceef88fe57c3c54133ab937480932cecb3c1b0bea57ced6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\stub.il

Filesize
399KB

MD5
3b8d737af24f3d90d71df778a82cbbef

SHA1
967e5242727da51448542380f674035af48b0477

SHA256
9dfa1f65a39795172dcb7ae0a9e9f56f098abd437ffbad9e634f41d4e1dbae9c

SHA512
2cca2ff3169e0efe4f8bb217f84b85862c9851083d93c2248ae34a4272f913a204df4e6192260de26de5558df64f08276ea5db4cee9dd04bde83958976ad9650

Download Submit
C:\Users\Admin\Desktop\123123\GeoIP.dat

Filesize
1.2MB

MD5
797b96cc417d0cde72e5c25d0898e95e

SHA1
8c63d0cc8a3a09c1fe50c856b8e5170a63d62f13

SHA256
8a0675001b5bc63d8389fc7ed80b4a7b0f9538c744350f00162533519e106426

SHA512
9bb0c40c83551000577f8cf0b8a7c344bc105328a2c564df70fabec978ad267fa42e248c11fb78166855b0816d2ef3ec2c12fe52f8cc0b83e366e46301340882

Download Submit
C:\Users\Admin\Desktop\123123\NjRat 0.7D Green Edition by im523.exe

Filesize
1.6MB

MD5
1033c448810d3b507423546432e2f502

SHA1
2bf9d04f68ed15b957378fb95daa78c85d5b2b26

SHA256
f0c85722b88d1e7a1941ba17551cd5c29aef99fad86d78a5631a0f5446b3f580

SHA512
aeb964632dfad41fc383a68ace0e6beb152a7075f21a32e449624a27da5d2a5ccda0665fbd90597d65d74b0790877baf6f81336660b1df4bf38b41cd0bc6cd44

Download Submit
C:\Users\Admin\Desktop\123123\Server.exe

Filesize
36KB

MD5
5abb794c4e72ea190dbd0a3de916d786

SHA1
248b987bbd6b0f90fbe057097972f7ad0d29c016

SHA256
b1a73ea7d69ab2754a5061f31f6561bd8b918ec5ed65b420b7532a9f5eb7c161

SHA512
6bda81dce856d33a041f11ee948a8033e5a1e6a418a53136349c7e404eb138993d3419f84212ced2e96f2e3bd8f93e588e28f13ebaa65e5cdb1d0eee90df7e82

Download Submit
C:\Users\Admin\Desktop\123123\Sound\Sound.wav

Filesize
643KB

MD5
562fb3b4b1b1eafd2cf107f2e92e0670

SHA1
cebf2a65c99e1b2c13d7212bf111bdf0fe5c13ce

SHA256
5ff592b183b2c990448f1dcd842a29cfe17a3eaa9956e0135c945c578676344a

SHA512
807cd580a04c84fb671c1dfa0fc2b90bbf2428e4727d7fa3956011623cae5c7e093acf55d5f0ad325116b729c96e845f06f3fc3007e8048238aacdea7f21386a

Download Submit
C:\Users\Admin\Desktop\123123\Stub.il

Filesize
399KB

MD5
3575abf7ab346ec4039138fad1fab4b7

SHA1
c5c7b08cfcb707cab339d966e36de6c3c97bd7f5

SHA256
ed79411707d5a9925f1146e595983804e4eeafe35e72eb51703908eff13cc073

SHA512
2044d78e20a4d7b8acbc0ebf61c38176314ccf02a0b009b161530b78658444faed8304a628938514d98effe5ebdd81275e1328f65d98ec3f2e545f9c9de56179

Download Submit
C:\Users\Admin\Desktop\123123\Stub.manifest

Filesize
487B

MD5
4d18ac38a92d15a64e2b80447b025b7e

SHA1
5c34374c2dd5afa92e0489f1d6f86dde616aca6c

SHA256
835a00d6e7c43db49ae7b3fa12559f23c2920b7530f4d3f960fd285b42b1efb5

SHA512
72be79acd72366b495e0f625a50c9bdf01047bcf5f9ee1e3bdba10dab7bd721b0126f429a91d8c80c2434e8bc751defdf4c05bdc09d26a871df1bb2e22e923bf

Download Submit
C:\Users\Admin\Desktop\123123\WinMM.Net.dll

Filesize
43KB

MD5
d4b80052c7b4093e10ce1f40ce74f707

SHA1
2494a38f1c0d3a0aa9b31cf0650337cacc655697

SHA256
59e2ac1b79840274bdfcef412a10058654e42f4285d732d1487e65e60ffbfb46

SHA512
3813b81f741ae3adb07ae370e817597ed2803680841ccc7549babb727910c7bff4f8450670d0ca19a0d09e06f133a1aaefecf5b5620e1b0bdb6bcd409982c450

Download Submit
C:\Users\Admin\Desktop\123123\plugin\cam.dll

Filesize
63KB

MD5
a73edb60b80a2dfa86735d821bea7b19

SHA1
f39a54d7bc25425578a2b800033e4508714a73ed

SHA256
7a4977b024d048b71bcc8f1cc65fb06e4353821323f852dc6740b79b9ab75c98

SHA512
283e9206d0b56c1f8b0741375ccd0a184410cf89f5f42dfe91e7438c5fd0ac7fa4afbb84b8b7ea448b3093397552fd3731b9be74c67b846d946da486dcf0df68

Download Submit
C:\Users\Admin\Desktop\123123\plugin\ch.dll

Filesize
24KB

MD5
73c8a5cd64fcf87186a6a9ac870df509

SHA1
7ea0bd1f15d7c8bc8b259b3a409b2cd3b0fe3eec

SHA256
7722206dba0cfb290f33093f9430cb770a160947001715ae11e6dbbfaef1c0ee

SHA512
b5faaf370d951bccd34da369e970d75c8f038bbfc99cf042c89a4ceb9cc077c1c8fc81318d79180c67373cca8024d27aaba052d4cee82a3aeda8d59ad0ac817d

Download Submit
C:\Users\Admin\Desktop\123123\plugin\mic.dll

Filesize
50KB

MD5
d4c5ddc00f27162fc0947830e0e762b7

SHA1
7769be616d752e95d80e167f2ef4cc6b8c3c21fe

SHA256
b6fb6b66821e70a27a4750b0cd0393e4ee2603a47feac48d6a3d66d1c1cb56d5

SHA512
9555f800213f2f4a857b4558aa4d030edf41485b8366812d5a6b9adcc77fc21584e30d2dd9ce515846f3a809c85038958cb8174bf362cf6fed97ca99a826e379

Download Submit
C:\Users\Admin\Desktop\123123\plugin\plg.dll

Filesize
28KB

MD5
0cbc2d9703feead9783439e551c2b673

SHA1
4f8f4addd6f9e60598a7f4a191a89a52201394a8

SHA256
ea9ecf8723788feef6492bf938cdfab1266a1558dffe75e1f78a998320f96e39

SHA512
06f55b542000e23f5eeba45ea5ff9ffaddddd102935e039e4496af5e5083f257129dab2f346eeae4ee864f54db57d3c73cf6ed1d3568087411203769cf0ddd66

Download Submit
C:\Users\Admin\Desktop\123123\plugin\pw.dll

Filesize
251KB

MD5
872401528fc94c90f3de6658e776cc36

SHA1
c58e22158774d16831350de79eb4e1711379e8a6

SHA256
3a1cc072effd8c38406a6fddf4d8f49c5366bb0e32071311d90db669940987ce

SHA512
6da881fb968ba9d9200777a9f19d69220468482f3eaaf687c433790d512da520f5adb23441fdc8f3fd10785918eb2864ea3ef32ddb80d2f6665550ea455f4a2f

Download Submit
C:\Users\Admin\Desktop\123123\plugin\sc2.dll

Filesize
12KB

MD5
19967e886edcd2f22f8d4a58c8ea3773

SHA1
bf6e0e908eaad659fdd32572e9d73c5476ca26ec

SHA256
3e5141c75b7746c0eb2b332082a165deacb943cef26bd84668e6b79b47bdfd93

SHA512
d471df3f0d69909e8ef9f947da62c77c3ff1eb97ac1dd53a74ad09fb4d74ec26c3c22facc18ec04f26df3b85b0c70863119f5baa090b110ab25383fcdb4e9d6e

Download Submit
memory/4808-40-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download
memory/4808-27-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download